What is NIS2?

To make the EU digitally safer, the EU published a new version of the Network and Information Security directive (“NIS2”) at the end of 2022. After the translation of NIS2 into national legislation by the Member States, it is expected to come into effect at the end of 2024.
NIS2 will be applicable to more sectors and entities than the current directive, with more explicitly described security measures and fines, stricter incident reporting obligations, and will empower national supervisory authorities.

What’s the difference between NIS1 and NIS2?

The new directive significantly expands the number of sectors and the focus areas (such as digital infrastructure: cloud services, telecommunications, data centres, DNS, and so on) to include vital, essential, and key sectors and their criticality:
• Digital infrastructure
• B2B management of ICT Services
• Postal and courier services
• Waste management
• Manufacturing, production and distribution (of chemicals, food, medical devices, computing and electrical equipment, amongst others)
• Digital Providers
• Research

Read our latest blog: NIS2 – what’s new?


What are the timelines?

NIS2 was approved and published by the EU at the end of 2022 and the implementation period of 21 months began in January 2023, during which the directive must be incorporated into national legislation. National laws are expected to enter into force at the end of 2024. From then, organisations must fulfill their duty of care and reporting.

Which organisations are in scope?

Entities in the sectors mentioned in the table below are in scope. NIS2 makes a clear distinction between “essential sectors” and “important sectors”.
Essential entities will be actively monitored by supervisory authorities, whereas passive supervision will be carried out on the important entities.

Essential sectors: Energy, Transport, Banks, Financial market infrastructure, Health, Drinking water, Waste water, Digital Infrastructure, ICT Service Management, Public Administration, Space
Important sectors: Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital services, Research

NIS2 does not apply to entities employing fewer than 50 persons and whose annual turnover (or annual balance sheet total) does not exceed €10 million. Exceptions to this size criteria are, for example, providers of trust services and public electronic communication services.

Will there be central registers maintained with organisations in scope?

By April 2025, Member States shall establish a list of essential and important entities, and entities providing domain name registration services. For the purpose of establishing the list, Member States shall require the entities to submit at least the following information to the competent authorities:

(a) the name of the entity;

(b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers.

The entities shall notify any changes within two weeks of the date of the change.

ENISA, the European Union Agency for Cybersecurity, will be responsible for the creation and maintenance of a registry for entities providing cross-border services e.g, DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, and data centre service providers. Entities in scope are obliged to provide the required information before 18th January 2025.

Is governance and liability addressed?

Management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities and oversee its implementation and can be held liable for infringements.

What does the duty of care mean for organisations?

Organisations must take appropriate measures for the security of network and information systems, including the physical environment. “Appropriate” means that they are tailored to the risks. The directive states that, among other things, there must be:

Information systems risk analysis and security policy
Incident Handling
Business continuity, such as backup management, contingency, and crisis management
Security of the supply chain and life cycle of network and information systems, including response to and disclosure of vulnerabilities
Policies and procedures for assessing the effectiveness of security measures
Basic cyber hygiene practices and cyber security training
The directive refers to European and international standards for the design of security measures and specifically mentions the ISO 27000 series. Guidelines for cyber security and hygiene are also available on websites of (semi) governmental websites e.g., the Centre for Cyber Security Belgium, the National Cyber Security Centre and the Rijksinspectie Digitale Infrastructuur (both in the Netherlands).

What does the duty to report mean for organisations?

The entities in scope of NIS2 must issue a preliminary alert for any significant incident (without delay) or any event, within 24 hours, and submit an incident report to the Computer Security Incidents Response Team (CSIRT) or competent authority within 72 hours at the latest.

Furthermore, entities will have the obligation to report changes related to the lists, with entities maintained by the European Union Agency for Cybersecurity (ENISA), and Member States.

What is the supervisory regime?

Member States will monitor compliance with NIS2-based legislation. The essential entities will be actively supervised. Important entities will be passively supervised, meaning supervising authorities will take action if there is reason to do so, e.g., in the event of an incident.

Supervising authorities will have the power to subject entities, at least, to on-site inspections, off-site supervision, regular and ad hoc audits, security scans, and requests for documentation and information.

What are the possible fines?

Administrative fines can be imposed on essential entities up to a maximum amount of at least €10 million, or up to at least 2% of global annual turnover.
Administrative fines can be imposed on significant entities up to a maximum amount of at least €7 million or up to at least 1.4% of global annual turnover.

How does NIS2 relate to GDPR?

The scope of NIS2 (essential and important entities providing activities in the EU) and GDPR (processing of personal data of EU residents) partly overlap. For both, adequate security measures must be in place and incidents must be reported to the competent authorities.

How does NIS2 relate to other directives and legislation?

If there is legislation in force in a specific sector with stricter rules relating to cyber security, this will take precedence, but only on the requirements that are more stringent. An example of this is the Digital Operational Resilience Act (DORA) concerning the financial sector.

Can organisations expect support during cybersecurity incidents?

NIS2 provides coordinated cybersecurity frameworks including national cybersecurity strategies, cyber crises management and collaboration at national and EU level including:

Each Member State shall designate or establish one or more Computer Security Incidents Response Teams. These CSIRTs shall cover at least the entities in scope of NIS2 and will be responsible for, e.g., the monitoring and analysis of cyber threats, vulnerabilities, and incidents at a national level, as well as providing early warnings, responding to incidents, and providing assistance to the essential and important entities concerned.
The European cyber crisis liaison organisation network (EU-CyCLONe) is established to support the coordinated management of large-scale cybersecurity incidents and crises at an operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices and agencies.

Will certification be mandatory?

In order to demonstrate compliance with cybersecurity requirements, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes. Member States shall encourage essential and important entities to use qualified trust services.

Pile of documents

Useful resources 

Fore more information about NIS2, and guidelines for good cybersecurity practices, make sure you visit:

Cyber Risk Management

Manage security risk in a coordinated, cohesive and consistent manner across all business units and functions.

Read more

Talk to us

Discuss your requirements with our expert team

    Our Accreditations and Certifications

    Crest Accreditation Resillion
    Check Penetration Testing
    RvA L690 Accreditation
    ISO 27001
    ISO 9001 Resillion
    CCV Cyber Pentest
    Cyber Essentials

    Contact Us